(57) Abstract: This invention relates to a method for generating a shared secret value between entities in a data communication system, one or more of the entities having a plurality of members for participation in the communication system, each member having a long term private key and a corresponding long term public key. The method comprises the steps of generating a short term private key and a corresponding short term public key for each of the members; exchanging the short term public keys of the members within an entity; for each member, computing an intra-entity shared key by mathematically combining the short term public keys of each of the members, and computing an intra-entity public key by mathematically combining its short term private key, its long term private key and the intra-entity shared key. Next, each entity combines the intra-entity public keys to derive a group short term public key S_i; each entity transmits its intra-entity shared key and its group short term public key to the other entities; and each entity computes a common shared key K by combining its group short term public key (S_i) with the intra-entity shared key (X_i) and a group short term public key (S_i) received from the other entities.
SPLIT-KEY KEY-AGREEMENT PROTOCOL



The present invention relates to the field of key agreement protocols in cryptographic 
systems. 


BACKGROUND OF THE INVENTION 

Traditionally, entities communicated on paper and were able to ensure privacy in many ways. The transition from paper to electronic media, however, has created the need for electronic privacy and authenticity. In cryptographic schemes, the entities use primitives, which are mathematical operations together with encoding and formatting techniques, to provide security. For each scheme the parties participating in the scheme normally agree upon or exchange certain information before executing the scheme function. The specific information that needs to be agreed upon is detailed for each scheme. Such agreement may be achieved by any means suitable for the application. It may be implicitly built into the system or explicitly achieved by some sort of exchange of information with or without involvement from other parties. In particular, parties often need to agree on parameters and obtain each other's public keys. For proper security, a party needs to be assured of the true owners of the keys and parameters and of their validity. Generation of parameters and keys needs to be performed properly and, in some cases, verification needs to be performed.

In general, the different types of schemes may be defined as follows. In key agreement schemes, two parties use their public/private key pairs and possibly other information to agree on a shared secret key. A signature scheme with appendix is a scheme in which one party signs a message using its private key and any other party can verify the signature by examining the message, the signature, and the signer's corresponding public key. In signature schemes with message recovery, one party signs a message using its private key and any other party can verify the signature and recover the message by examining the signature and the signer's corresponding public key. Finally, in encryption schemes, any party can encrypt a message using the recipient's public key and only the recipient can decrypt the message using its corresponding private key.

An example of a key derivation scheme is the MQV (Menezes-Qu-Vanstone) scheme. In the MQV scheme, a shared secret value is derived from one party's two key pairs and another party's two public keys, where all the keys have the same discrete log (DL) parameters. In this generalized MQV scheme, it is assumed that the shared secret value is one that is shared between two parties.

However, where each party or entity consists of a collection of parties, say A = {A_1, A_2, ..., A_n} and B = {B_1, B_2, ..., B_m} where m is not necessarily equal to n and at least one of m or n is at least two (that is, not both A and B consist of one individual), it is difficult to implement the generalized MQV scheme if these two entities wish to establish a common key in order to communicate privately.

SUMMARY OF THE INVENTION

Accordingly, the present invention seeks to provide a solution to the problem of establishing a common key for private communication between entities wherein the entities include a collection of sub-entities.

An advantage of the present invention is that all members of each entity must participate in the scheme and no sub-collection of either entity can impersonate its entire entity.

In accordance with this invention there is provided a method for generating a shared secret value between entities in a data communication system, one or more of the entities having a plurality of members for participation in the communication system, each member having a long term private key and a corresponding long term public key, the method comprising the steps of:

(a) generating an entity long term private key and corresponding entity long term public key for each entity by combining the long term private and public keys of each member of the entity;

(b) generating a short term private key and a corresponding short term public key for each of the members;

(c) exchanging the short term public keys of the members within an entity;

(d) for each member:

i. computing an intra-entity shared key by mathematically combining said short term public keys of each said member;

ii. computing an intra-entity public key by mathematically combining its short term private key, its long term private key and said intra-entity shared key;

(e) for each entity, combining the intra-entity public keys to derive a group short term public key;

(f) each entity transmitting its intra-entity shared key and its group short term public key to said other entities; and

(g) each entity computing a common shared key K by combining its group short term public key with the intra-entity shared key and the entity long term public key received from the other entity.



BRIEF DESCRIPTION OF THE DRAWINGS

A preferred embodiment of the invention will now be described by way of example only with reference to the accompanying drawings, in which:

Figure 1 is a schematic diagram of a communication system; and

Figure 2 is a schematic diagram illustrating the steps of a protocol to establish a common key.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring to figure 1, a schematic diagram of a communication system is shown generally by numeral 10. The system 10 includes a first entity A (12) and a second entity B (14) that exchange data over a communication channel 16. The entities A and B include members A_1, A_2, ..., A_n and B_1, B_2, ..., B_m, respectively. For convenience, the embodiment described has two members A_1, A_2 and B_1, B_2, although it will be appreciated that typically each entity will have several members. It is assumed that the entities A and B include processors for performing cryptographic operations and the like. The members A_1, A_2 may for example be a first group of users on a local area network (LAN) that wish to communicate securely with a second group of users B_1, B_2 on a second LAN or even on the same LAN. In either case the computations may be performed for the entities A (12) and B (14) by, for example, a LAN server 18 or the like, provided that each member has its own secure boundary.

Each entity and its associated members A_i, B_i have been initialized with the same system parameters. The system parameters for this exemplary protocol are an elliptic curve point P, which is a generating point of order n on an elliptic curve over a finite field. Additionally, each of the members is initialized with a respective long-term public and private key pair.

That is, each of the members A_i has a long term private and public key pair (a_i, a_iP) and each of the members B_i has a long term private and public key pair (b_i, b_iP), respectively.

Each of the entities A, B generates a respective long-term public key derived from the long-term public keys of each of its members. The long-term private key a of the entity A is then (a_1 + a_2 + ... + a_n) and its corresponding long-term public key, aP, is (a_1 + a_2 + ... + a_n)P. In the present example the key pair (a, aP) of entity A is (a_1 + a_2), (a_1 + a_2)P. Similarly, for entity B its long-term private key b is (b_1 + b_2) and its corresponding long-term public key is bP = (b_1 + b_2)P. The entity long-term public keys aP, bP can be computed by summing the members' public keys. The entity public keys are published by the respective entities and, if appropriate, certified by a trusted authority or CA trusted by all of the entities.

Typically, entities A (12) and B (14) wish to agree upon a common key, which may then be used for subsequent cryptographic communications between the entities.

Referring then to figure 2, a schematic diagram of an embodiment of a suitable protocol is shown generally by numeral 40. The member A_1 generates a random value x_1 (its short-term private key, also known as an ephemeral or session key) and computes a corresponding value x_1P (its short-term public key); similarly, member A_2 generates a random value x_2 and computes a corresponding value x_2P. Preferably 0 < a_i < n-1 and 0 < x_i < n-1. Next, the members of the entity A exchange their session public keys x_iP. In the present example, A_2 and A_1 exchange their session public keys x_1P and x_2P, denoted X_1 and X_2 respectively. This may be termed a first intra-entity key exchange.

Next, member A_1 computes r = x_1P + x_2P and similarly, member A_2 computes r = x_2P + x_1P. This establishes an intra-entity shared key r that is available to every member of the entity and contains a contribution from each of them.

The entity A transmits the intra-entity shared key r to the entity B with whom it wishes to establish a common key K.

Next, member A_1 computes a short term intra-entity public key s_1 using its short term private key and long term private key combined with a function f of the intra-entity shared key, that is s_1 = x_1 + a_1 f(r) (mod n), where f is typically a hash function such as SHA-1 and n is the order of the curve. Similarly, member A_2 computes its intra-entity public key s_2 = x_2 + a_2 f(r) (mod n).

The entity A computes an entity or group short term public key, which is derived from a summation of the intra-entity public keys of each member: s = s_1 + s_2 = x_1 + x_2 + (a_1 + a_2) f(r) (mod n).
The entity B similarly computes the analogous information using its own public and private keys, with the same computations performed by entity A. Thus, each member of B computes an intra-entity shared key r (B's own, formed from the short term public keys of each of B's members) and this r is forwarded to entity A. Next, each of the members in B computes its own intra-entity public key t_i = y_i + b_i f(r) (mod n), and B computes the group short-term public key t = t_1 + t_2.

The entity A then computes a value K, which is the shared key between the entities A and B, by retrieving the long term public key bP of entity B and computing K = s(r + f(r) bP) = s(tP) = stP, where r here is the intra-entity shared key received from B. The entity B likewise retrieves the long term public key aP of entity A and computes K using t, the r received from A, and aP, i.e. K = t(r + f(r) aP) = t(sP) = tsP.
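The steps just described, worked through in code as an added example (this is not the patent's own code). It implements the elliptic-curve form of the protocol over the secp256k1 curve with SHA-256 in place of SHA-1; both choices are assumptions, since the text fixes neither a curve nor a hash. The transmitted group short-term public key is modelled as the point sP rather than the scalar s, which is likewise an assumption: it keeps s inside the entity and lets the receiver check that the received sP equals r + f(r)aP before deriving K. `run_protocol` confirms that A and B arrive at the same K = stP (run here with two members in A and three in B, the m not equal to n case the text allows), and `subset_attempt` shows what happens when only A_1 takes part while B still uses the published aP of the whole entity: the received pair fails that check, and even without the check the two sides derive different keys, which is the text's point that no sub-collection of an entity can impersonate it.

```python
"""Split-key key agreement of the text over secp256k1 (added example, not the patent's own code)."""
import hashlib
import secrets

# secp256k1 parameters (standard public constants; the text fixes no curve, so this choice is an assumption):
# y^2 = x^3 + 7 over F_p with base point GEN of prime order N_ORD.  Needs Python 3.8+ for pow(x, -1, m).
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)

def ec_add(p1, p2):
    """Affine point addition; a = 0 on this curve, so doubling uses lambda = 3x^2 / 2y."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p2 == -p1 (also covers doubling a point with y == 0)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add k*pt (not constant-time; adequate for a worked example)."""
    acc, k = INF, k % N_ORD
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def ec_sum(points):
    acc = INF
    for pt in points:
        acc = ec_add(acc, pt)
    return acc

def random_scalar():
    """Private key in [1, n-1], matching the text's 0 < x_i < n-1."""
    return secrets.randbelow(N_ORD - 1) + 1

def f(point):
    """f(r) of the text: hash the intra-entity shared key r to a scalar mod n (SHA-256 here, SHA-1 in the text)."""
    x, y = point
    digest = hashlib.sha256(x.to_bytes(32, "big") + y.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") % N_ORD

class Entity:
    """Entity A or B; member i holds (a_i, a_iP).  The list stands in for the members' separate secure boundaries."""

    def __init__(self, member_privs):
        self.privs = list(member_privs)
        # entity long-term key: a = a_1 + ... + a_n, aP = sum of the members' public keys (published/certified)
        self.long_term_pub = ec_sum(ec_mul(a, GEN) for a in self.privs)

    def round1(self):
        """Steps (b)-(e): x_i per member, exchange of x_iP, r = sum x_iP, s_i = x_i + a_i f(r), s = sum s_i."""
        ephem = [random_scalar() for _ in self.privs]
        self.r = ec_sum(ec_mul(x, GEN) for x in ephem)
        fr = f(self.r)
        self.s = sum(x + a * fr for x, a in zip(ephem, self.privs)) % N_ORD
        # step (f): transmit r and the group short-term public key, modelled here as the point sP (assumption)
        return self.r, ec_mul(self.s, GEN)

    def derive(self, peer_r, peer_sP, peer_long_term_pub, verify=True):
        """Step (g): K = s (r + f(r) bP) = s t P from the peer's r and its published long-term key."""
        implicit = ec_add(peer_r, ec_mul(f(peer_r), peer_long_term_pub))  # equals tP when all of B took part
        if verify and implicit != peer_sP:
            # a consistent (r, sP) needs every member's contribution; a sub-collection cannot produce one
            raise ValueError("group short-term public key inconsistent with r and entity long-term key")
        return ec_mul(self.s, implicit)

def run_protocol(a_privs, b_privs):
    """Full run; returns (K_A, K_B), which are equal when every member of both entities took part."""
    a, b = Entity(a_privs), Entity(b_privs)
    r_a, sP_a = a.round1()
    r_b, sP_b = b.round1()
    return a.derive(r_b, sP_b, b.long_term_pub), b.derive(r_a, sP_a, a.long_term_pub)

def subset_attempt(a_privs, b_privs):
    """Only A's first member takes part while B still relies on the published aP of the whole entity.
    Returns (rejected_by_check, keys_agree_without_check)."""
    full_a, partial_a, b = Entity(a_privs), Entity(a_privs[:1]), Entity(b_privs)
    r_a, sP_a = partial_a.round1()
    r_b, sP_b = b.round1()
    k_partial = partial_a.derive(r_b, sP_b, b.long_term_pub)
    try:
        b.derive(r_a, sP_a, full_a.long_term_pub)
        rejected = False
    except ValueError:
        rejected = True
    k_b = b.derive(r_a, sP_a, full_a.long_term_pub, verify=False)
    return rejected, k_partial == k_b
```

The consistency check in `derive` is the part worth keeping in a real deployment: sP is fully determined by r and the certified aP, so a receiver can reject a message in which the two do not match before any key is derived. Note also that s and t are scalars that reveal the members' ephemeral and long-term contributions; only the points r and sP leave an entity in this model.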

Consequently, if a member of the entity A, either A_1 or A_2, is not present in the scheme then the group short term public key s changes, as does the value of K. Therefore, communication with entity B would not be successful without establishing a new session. Similarly, if either B_1 or B_2 is not present in the scheme then the group short term public key t changes, altering the value of K. In this case, communication with A would not be successful without establishing a new session.

Accordingly, the present protocol ensures that all members of each entity must 
participate in the scheme and no sub-collection of either entity can impersonate its entire 
entity. 

Although the above scheme has been described with respect to elliptic curve systems, which form an additive group, it may analogously be used in multiplicative groups. Furthermore, although the above protocol has been exemplified with two members per entity, it may be generalized to the case where each party or entity consists of a collection of members, say A = {A_1, A_2, ..., A_n} and B = {B_1, B_2, ..., B_m}, where m is not necessarily equal to n and at least one of m or n is at least two (that is, not both A and B consist of one individual).

Although the invention has been described with reference to certain specific 
embodiments, various modifications thereof will be apparent to those skilled in the art 
without departing from the spirit and scope of the invention as outlined in the claims 
appended hereto. 

THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:



1. A method for generating a shared secret value between entities (A, B) in a data communication system, one or more of said entities having a plurality of members (A_i, B_i) for participation in said communication system, each member having a long term private key and a corresponding long term public key, said method comprising the steps of:

a) generating an entity long term private key and corresponding entity long term public key for each entity by combining the long term private and public keys of each member of the entity;

b) generating a short term private key and a corresponding short term public key for each of the members;

c) exchanging the short term public keys of the members within an entity;

d) for each member:

i. computing an intra-entity shared key by mathematically combining said short term public keys of each said member;

ii. computing an intra-entity public key by mathematically combining its short term private key, the long term private key and said intra-entity shared key;

e) for each entity, combining the intra-entity public keys to derive a group short-term public key;

f) each entity transmitting its intra-entity shared key and its group short term public key to said other entities; and

g) each entity computing a common shared key K by combining its group short term public key with the intra-entity shared key and an entity long term public key received from the other entity.

2. A method as defined in claim 1, said long term public key being derived from a generator point P and respective ones of said long term private keys.

3. A method as defined in claim 2, said step (a) including each member selecting a random integer x_i and multiplying said point P by x_i to obtain x_iP, the short term public key.

4. A method as defined in claim 3, said intra-entity shared key being computed by summing said short term public keys.



5. A method as defined in claim 4, said intra-entity public key s_i being derived by computing s_i = x_i + a_i f(Σ x_iP), where f is a hash function.

6. A method as defined in claim 5, said group short term public key being derived by computing Σ s_i.

7. A method as defined in claim 1, said long term public keys being derived from a generator g and respective ones of said long term private keys.

8. A method as defined in claim 7, said step (a) including the step of each member selecting a random integer (x_ij) and exponentiating a function h(g) including said generator to a power g(x_ij) to obtain the short term public key X_ij = h(g)^g(x_ij).

9. A method as defined in claim 8, said intra-entity shared key (X_i) being computed by each entity multiplying each of its short-term public keys X_ij together.

10. A method as defined in claim 1, including the step of exchanging the entity long term public key between entities.

11. A method as defined in claim 10, each entity computing a common shared key K by combining its group short term public key (S_i) with the intra-entity shared key (X_i) and an entity long term public key received from the other entity.